[Bug 64731] New: change log message for authorization checks in mod_authz_host


Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64731

            Bug ID: 64731
           Summary: change log message for authorization checks in
                    mod_authz_host
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_host
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Created attachment 37446
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37446&action=edit
Improve log message for mod_authz_host authorization checks

mod_authz_host has several authorization checks, which include four
authorization checks for the client's address, in the functions
ip_check_authorization()
host_check_authorization()
forward_dns_check_authorization()
local_check_authorization()

These functions only have log messages for syntax checks, but do not log the
authorization check result even though the authorization check fails. The
authorization result will be logged at DEBUG level which is usually disabled.

I would suggest adding log messages when the authorization check fails, which
pinpoints the root cause of the authorization failure and saves sysadmins' time for
troubleshooting. For example:

@@ -287,6 +294,9 @@ forward_dns_check_authorization(request_rec *r,
         }
     }

+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+            "authz_host authorize: Authorization of require forward-dns
failed: "
+            "client's address is not resolved from the require'd host name");
     return AUTHZ_DENIED;
 }
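
Review bot: the ap_log_rerror() call added before return AUTHZ_DENIED uses a fixed string, so the log line says a forward-dns check failed but not for which client address or which required host name. Passing the client address as a %s argument (for example r->useragent_ip) would let the entry be matched to a request and to the Require line that rejected it. The call is also made at APLOG_ERR on every denial, so each rejected request writes an error-level entry; a lower level may fit better, since a denial here is an expected outcome rather than a server fault. APLOGNO() is still empty and needs a number assigned before this is committed.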

Adding the log before return AUTHZ_DENIED can clearly tell the sysadmin the
root cause of the authorization failure.

I also added the logs for the ip/host/local checks, and submitted them as an
attachment. Any feedback is appreciated!

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 64731] change log message for authorization checks in mod_authz_host

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64731

Bingyu Shen <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable
